MySQL Secure Deployment Guide  /  Installing the MySQL Password Validation Component

Chapter 6 Installing the MySQL Password Validation Component

The validate_password component serves to test passwords and improve security. The component exposes a set of system variables that enable you to define a password policy.

The component implements two capabilities:

  • In statements that assign a password supplied as a cleartext value, the component checks the password against the current password policy and rejects the password if it is weak. This affects the ALTER USER, CREATE USER, GRANT, and SET PASSWORD statements.

  • The VALIDATE_PASSWORD_STRENGTH() SQL function assesses the strength of potential passwords. The function takes a password argument and returns an integer from 0 (weak) to 100 (strong).

The validate_password component provides three levels of password checking: LOW, MEDIUM, and STRONG. The default is MEDIUM; controlled by the validate_password.policy system variable. The policies implement increasingly strict password tests.

In addition, the validate_password component can reject passwords that match the user name part of the effective user account for the current session, either forward or in reverse. To provide control over this capability, validate_password exposes a validate_password.check_user_name system variable, which is enabled by default.

To install and configure the password validation component:

  1. Ensure that the validate_password component library file is located in the MySQL plugin directory.

    shell> cd /path/to/mysql/lib/plugin/
    shell> ls component_v*
    component_validate_password.so

    Ensure that the plugin_dir is set to the server the MySQL plugin directory.

    mysql> SELECT @@plugin_dir;
    +--------------------------------------------+
    | @@plugin_dir                               |
    +--------------------------------------------+
    | /path/to/mysql/lib/plugin/                 |
    +--------------------------------------------+

    Install the validate_password component using the INSTALL COMPONENT statement:

    mysql> INSTALL COMPONENT 'file://component_validate_password';

    Component installation is a one-time operation that need not be done per server startup. INSTALL COMPONENT loads the component, and also registers it in the mysql.component system table to cause it to be loaded during subsequent server startups.

  2. Add these options under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf) so that you can adjust them as necessary. The default values are used in this deployment.

    validate_password.policy=1
    validate_password.length=8
    validate_password.number_count=1
    validate_password.mixed_case_count=1
    validate_password.special_char_count=1
    validate_password.check_user_name=1
    • validate_password.policy=1

      The password policy enforced by validate_password. A value of 1 is MEDIUM. By default, the MEDIUM policy specifies that passwords must be at least 8 characters long, contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character. 1 (MEDIUM) is the default setting.

    • validate_password.length=8

      The minimum number of characters that validate_password requires passwords to have.

    • validate_password.number_count=1

      The minimum number of lowercase and uppercase characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger.

    • validate_password.mixed_case_count=1

      The minimum number of numeric (digit) characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger.

    • validate_password.special_char_count=1

      The minimum number of nonalphanumeric characters that validate_password requires passwords to have if the password policy is MEDIUM or stronger.

    • validate_password.check_user_name=1

      Rejects passwords that match the user name part of the effective user account for the current session, either forward or in reverse.

    Note

    validate_password.dictionary_file is not used in this deployment. By default, this variable has an empty value and dictionary checks are not performed. For the dictionary file to be used during password checking, the password policy must be set to 2 (STRONG); see the description of the validate_password.policy system variable for more information.

  3. To verify component installation, query the mysql.component table:

    shell> cd /usr/local/mysql 
    shell> bin/mysqladmin -u root -p version
    Enter password: (enter root password here)
    mysql> SELECT * FROM mysql.component;
    +--------------+--------------------+------------------------------------+
    | component_id | component_group_id | component_urn                      |
    +--------------+--------------------+------------------------------------+
    |            1 |                  1 | file://component_validate_password |
    +--------------+--------------------+------------------------------------+
  4. To verify that the password validation component works, attempt to create a user with a non-compliant password:

    mysql> CREATE USER 'bob.smith'@'localhost' IDENTIFIED BY 'abc';
    ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

For more information about the password validation component, see The Password Validation Component.